m0nsterz


Impersonate Username

Hi all,

First of all thank you Experts Exchange, I can always count on this site for an answer to my problems.

My problem is that I have a program that accesses a folder on a Linux machine running Samba. I want to pass the username and password of a network user via VB6 code so that only the program has access to the Samba share. I do not want individual users to have access to these shares. I have searched the net and have only come up with a DLL called SFImpersonator, but I am not sure how to incorporate this into my code.

Thanks in advance
m0nsterz

ASKER

This is really urgent so I have doubled the points.
David Lee
I don't know anything about Linux or Samba.  If you can explain to me how a VB program connects to a share on Linux/Samba, then I might be able to help you figure out how to do this.
Hi BlueDevilFan

Maybe I should rephrase my question. I think that if I was accessing a share on a Windows 2000 server the code would be exactly the same. Basically what I have is a database running on a server (whether it be Linux or Windows 2000 makes little difference, as Samba makes Windows think that the Linux server is a Windows server) and the front-end program is running on a user's computer. I want the program to access the database but I don't want to explicitly give the user permission to access the database. It is almost like having an Application account on SQL Server, except this has an Access database instead. So I want the program, when it runs, to change the user name and password that it passes to the server to one that has permissions to access the database, and when the program closes it changes the user name back to what it was before and the user will be none the wiser.

I hope this explains things a little better.
ASKER CERTIFIED SOLUTION
David Lee
This solution is only available to members.
Oh, and don't forget to add a reference to Windows Script Host Object Model to your program.
I will give this a try and let you know later on today. Thanks for the quick response.
Hi BlueDevilFan

Sorry for the delay in the reply but I had to go out of the office for a few days. I have tried your code manually and it works fine, but is there any way of doing this without mapping a drive? If the drive is mapped when the program is open then anyone can get onto the server.
No problem on the delay. What you want is for the program to be able to access the share but not the user. That's a little more complicated. The only way I can think of off the top of my head is to use the programming equivalent of the Runas command. Runas allows for a program to be run in a different security context (i.e. under a different account). It's great for an administrator who may need to run a program under his/her admin account at a user's workstation, saving the need to log the user off and log on as themselves. The same capability can be written into a program. What it'll mean though is that you'll need two programs. The first program will be the one the user launches. It'll be very small and simple since all it'll do is spawn the second program. But, it'll spawn the second program under a different account, an account that'll have access to the share, which in turn gives the second program access to the share. Since the program is running in a different security context from that of the user, the program will enjoy access to the share while the user running it will not.

The real issue becomes one of how to store the password for the account the program will use. If you embed it in the program, then a password change means you have to recompile the program with the new password and issue a new executable to all users of the program. The alternative to that is to read the password from a file. Of course if you store the password as clear-text, then anyone who can find the file and knows the account it goes with now has access to the share. Naturally you can encrypt the password and then write it into a file. That improves security but the password is still out there and most security types usually get nervous about that sort of thing.

Another approach would be to go client-server. The server would sit on the machine where the share is and the client would talk to it. This simplifies the authentication problem, but, depending on what you want to accomplish, coding the server could be a more significant issue. Or, you could write a service that'd run on the client computer. This would work just like client-server would, only both components would be on the local computer rather than one on the client and the other on the computer where the share is. Let me know which approach you'd like to take and I'll do what I can to help you with it.
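
The two-program Runas design described in the post above, as an added example that is not part of the original thread: a VB6 launcher stub built on the Win32 `CreateProcessWithLogonW` API, which exists only on Windows 2000 and later. The function name `LaunchAs` and its parameters are hypothetical, and the password is handed in by the caller, so the storage problem the post raises is left open.

```vb
Option Explicit
Private Const LOGON_WITH_PROFILE As Long = &H1
Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type
' Unicode API: string arguments are passed as pointers obtained with StrPtr.
Private Declare Function CreateProcessWithLogonW Lib "advapi32.dll" ( _
    ByVal lpUsername As Long, ByVal lpDomain As Long, ByVal lpPassword As Long, _
    ByVal dwLogonFlags As Long, ByVal lpApplicationName As Long, _
    ByVal lpCommandLine As Long, ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _
    lpStartupInfo As STARTUPINFO, lpProcessInfo As PROCESS_INFORMATION) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

' Hypothetical helper: starts ExePath under the given account and returns True on success.
Public Function LaunchAs(ByVal User As String, ByVal Domain As String, _
        ByVal Password As String, ByVal ExePath As String) As Boolean
    Dim si As STARTUPINFO, pi As PROCESS_INFORMATION
    si.cb = Len(si)
    If CreateProcessWithLogonW(StrPtr(User), StrPtr(Domain), StrPtr(Password), _
            LOGON_WITH_PROFILE, StrPtr(ExePath), 0&, 0&, 0&, 0&, si, pi) <> 0 Then
        CloseHandle pi.hThread      ' the launcher does not need the child's handles
        CloseHandle pi.hProcess
        LaunchAs = True
    End If
End Function
```

Any password passed to `LaunchAs` is present in the launcher's memory and, if it was embedded or read from a file, recoverable from the client machine, which is the concern raised at the end of the post.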
I like the Runas, but would this work on a Windows 98 machine, as this is the OS that the program is running on? Is it not possible to hide the mapped drive, coz if so this would work for me.
Could you elaborate on how the service would work with the authentication on the server?

Thanks for the time you are spending to help me out, much appreciated.
To the best of my knowledge Runas is an NT/2000/XP/2003 concept.  There's nothing I know of like it in Win98, so Runas is out of the picture.  Is it possible to hide the mapped drive?  I was thinking about that when I wrote my earlier post.  There are various utilities that allow you to hide a drive letter, but I don't know of a way to do it from a program.  Let me think about it and see if I can come up with anything.  

If this needs to run from Win98, then a service isn't the answer.  I'll answer your question though in another post.  Sorry, but I have to run right now.

You're welcome.  Glad to help out.